al3xtjames/mac-ssh-askpass

mac-ssh-askpass

(Incomplete) ssh-askpass(1) implementation for macOS.

This only implements support for SSH_ASKPASS_PROMPT=none, which is used for U2F touch reminders.

Screenshot of mac-ssh-askpass U2F touch reminder

Compilation

mac-ssh-askpass uses the Swift Package Manager for compilation:

$ swift build -c release

This repo also includes a Nix derivation, along with a flake that defines packages for aarch64-darwin and x86_64-darwin.

Usage

The following environment variables need to be set for ssh to use askpass:

  • SSH_ASKPASS: Should be set to the name of the mac-ssh-askpass binary (if it's in PATH). An absolute path can also be used.
  • SSH_ASKPASS_REQUIRE: Should be set to force as macOS doesn't set DISPLAY.

For U2F, ssh will only use askpass for agent signing requests. You'll need to add your ED25519-SK/ECDSA-SK keys to an agent and configure ssh to use your agent. Note that as of macOS 13, the built-in ssh-agent doesn't support ED25519-SK/ECDSA-SK keys.

Workaround for host key verification failures

Note that ssh uses ssh-askpass(1) to confirm host key fingerprints. As mac-ssh-askpass doesn't support this, host key verification will fail with "Host key verification failed."

A WIP patch by OpenSSH developer @djmdjm extends the SSH_ASKPASS_REQUIRE variable to allow the use of ssh-askpass(1) to be restricted. By setting SSH_ASKPASS_REQUIRE to notify:force, mac-ssh-askpass can be used for U2F touch notifications, while other readpass prompts will use the terminal.

A rebased version of this patch series for OpenSSH 9.8p1 is available here.
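
A preflight check for the setup described under Usage and the workaround above, as an added example that is not part of the mac-ssh-askpass repository. The function names are hypothetical, the sample agent listing is constructed, and the check assumes `ssh-add -l` prints the key type in trailing parentheses (for example `(ED25519-SK)`).

```shell
# Added example (not from the mac-ssh-askpass repo): preflight for the askpass setup.

# Print the executable SSH_ASKPASS points at: a path as given, or a PATH lookup.
# Caveat: `command -v` also matches shell builtins and functions of the same name.
resolve_askpass() {
    case "$1" in
        "")  return 1 ;;
        */*) [ -f "$1" ] && [ -x "$1" ] && printf '%s\n' "$1" ;;
        *)   command -v "$1" ;;
    esac
}

# Count security-key (FIDO) identities in `ssh-add -l` output read from stdin.
count_sk_keys() {
    grep -cE '\((ED25519|ECDSA)-SK\)$' || true
}

# Usage: ssh-add -l | askpass_preflight
# Prints one line per problem to stderr; exit status is the number of problems.
askpass_preflight() {
    problems=0
    if ! resolve_askpass "${SSH_ASKPASS:-}" >/dev/null 2>&1; then
        echo "SSH_ASKPASS unset or not an executable: '${SSH_ASKPASS:-}'" >&2
        problems=$((problems + 1))
    fi
    case "${SSH_ASKPASS_REQUIRE:-}" in
        force) ;;
        notify:force) ;;  # only understood by an ssh built with the WIP patch
        *) echo "SSH_ASKPASS_REQUIRE should be 'force' (macOS sets no DISPLAY)" >&2
           problems=$((problems + 1)) ;;
    esac
    if [ "$(count_sk_keys)" -eq 0 ]; then
        echo "agent lists no ED25519-SK/ECDSA-SK keys" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample of `ssh-add -l` output (placeholder fingerprints).
SAMPLE_AGENT_LISTING='256 SHA256:PLACEHOLDERFINGERPRINT1 laptop-key (ED25519)
256 SHA256:PLACEHOLDERFINGERPRINT2 yubikey-a (ED25519-SK)
256 SHA256:PLACEHOLDERFINGERPRINT3 yubikey-b (ECDSA-SK)'
```

Run it against the agent ssh is configured to use, since the built-in macOS agent will list no SK keys.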
